You know how some of IL2000’s blog posts get straight to the point while others take their time? This second blog post in our cybersecurity series falls very much into the “taking its time” camp. But if you heed our piratical tale, we believe we have something interesting to tell you about one of the most misunderstood ingredients of a crippling cybersecurity supply chain attack: The element of surprise.
So grab a coffee (or a tankard of rum if you’re feeling adventurous) and join us as we go back in time to the early 18th Century and the Golden Age of Piracy.
1720, The Western Atlantic Ocean, somewhere in a desolate corner of the Bahamas
The first signs of danger were subtle and easy to overlook. The sliver of two masts and a flash of gray sail jutted above the palm trees of a no-name island, far to starboard. The crew aboard the sturdy merchant ship, The Dauntless, glanced uneasily at the unknown craft before a stern word from the first mate sent them scurrying back to work.
Laden with a shipment of precious sugar and molasses, and two days into the long northward journey from Nassau in the Bahamas to New York in the bustling American colonies, the crew had good cause to mutter prayers to Poseidon (and complaints about their captain when safely out of earshot).
They were far from assistance.
The ship’s owner had forgone the added expense of an armed naval escort for this journey, favoring a quicker trade and bigger profits. An easy decision for a man whose most perilous deep-water encounters were his monthly bathtub ablutions. Without defenses or allies, all The Dauntless’ crew could do was trim the sails and hope the trade winds stayed steadfastly in their favor.
A musket shot.
Splinters of mast and rope fragments sprayed across the deck. A two-masted brigantine and two swift single-masted ships emerged from the mist, closing in quickly with black flags unfurled. The deeper boom of a cannon rang out, and a vast plume of seawater soared into the sky across the merchant ship’s bow.
The Dauntless’ crew valiantly struggled to outpace their piratical pursuers, but it was already too late. Their efforts were futile. As more cannon blasts laid waste to the ship’s sails and rigging — not to mention its stalwart crew — The Dauntless heaved to and foundered.
They were done.
Grappling hooks thumped into the ship’s railing and bit. The brigantine came up alongside. A scraggly bearded man with few teeth and even fewer ethical concerns about theft, death, and mayhem leveled his rusty cutlass at the ship’s captain.
The words the pirate growled next were filled with a distressing blend of contempt and malice. He spake the words every salty merchant mariner most feared:
“Prepare to be boarded.”
2020, A mid-sized packaging company somewhere in a desolate corner of Ohio
The first signs of danger were subtle and easy to overlook. It was a Monday morning, and the company’s transportation management system seemed unusually sluggish. Shipments were falling behind. Staff glanced uneasily at their watches but reasoned the problems must be temporary — an IT glitch perhaps? But the company’s older hands were scowling. There was a fell wind that morn. Deep down, they knew how vulnerable the company was to cyberattack.
They were far from assistance.
The company’s founder had approved only minimal cybersecurity measures, an easy decision for a manager whose most demanding computer challenges were a profit and loss spreadsheet and the occasional late-night marathon session of Assassin’s Creed Black Flag. Without a robust and secure approach to supply chain management, all the team could do was postpone a few meetings and hope the trucking routes stayed steadfastly in their favor.
A musket shot — well, figuratively, at least.
An important shipping deadline was missed when the freight team realized that critical contact details and scheduling information had disappeared from their system. Staff clustered around computers, anxious to assess the scope of the damage. It was the first real shot across the company’s bow. Something was seriously wrong here. This must be a cyberattack, the team muttered, hearts filled with dread. What else could it be?
That afternoon, the entire company, from its irascible CEO to its moodiest intern, valiantly struggled to outpace their insidious infiltrators. But it was already too late. Their efforts were futile. As more critical data losses laid waste to the company’s supply chain — not to mention its reputation — this mid-sized packaging company somewhere in Ohio heaved to and foundered.
They were done.
Then someone found the note, tucked away on the server’s admin drive, filled with a distressing blend of all caps, bold, and italics. The note issued the ultimatum every IT system admin most feared:
“Want your data back? You’ll need to pay our ransom.”
Surprise, cyberattack, and the world’s virtual ocean
OK, the harrowing tale of a supply chain cyberattack on a mid-sized Midwest packaging company might make a disappointing Pirates of the Caribbean sequel. (Although, to be fair, that movie franchise is already filled with some fairly problematic storylines.)
That said, there are some quite striking parallels between the devastating efficiency of piracy three centuries ago and the anatomy of a supply chain cyberattack today.
1. Your supply chain can be attacked from anywhere
From a global freight standpoint, the internet of the 2020s has the same kind of impact as trade routes across the Atlantic Ocean had in the 1720s. Both opened up grand new vistas of commerce. Just as the growing sophistication of oceangoing Atlantic trade changed everything, internet-mediated freight allows business owners to reach people, make deals, and corner markets they couldn’t have dreamed of otherwise.
But the internet, just like the great blue expanse of the Atlantic, is a vast attack vector.
Contrary to the pirate movies, a pirate ship would not last long against a naval vessel in a fair fight. Even a well-appointed pirate ship would be vastly outgunned by a naval ship. But that wasn’t how pirates operated. Why fight fair? These blackguards vanished into the ocean — laying low in seedy port strongholds, lurking in forgotten coves far from official eyes, plotting deeds most foul in the countless uncharted caves speckled throughout the islands of the Caribbean.
Pirates were no ninnies. They stayed invisible, gathered information, and waited for a lone trade vessel to tarry just a little too long and just a little too far from the proud white sails and bristling armaments of the British naval fleet. It was then, and only then, that a self-respecting pirate would strike, and strike he would with bold and ruthless ignominy.
Long story short: These dudes were sneaky.
The same can be said of supply chain cybercriminals today.
If your supply chain’s warehouse management system is bristling with online defenses, a determined hacker will find another way in — a long forgotten corner of your network, perhaps, or even a distant partner only peripherally connected with your supply chain. On average, a cybercriminal team will spend up to 11 days lurking on a breached system undetected, according to cybersecurity firm Sophos’ 2021 Active Adversary Playbook. By the time they play their hand, it’s often too late to prevent data theft and reputation damage.
How do you reduce the number of directions from which your supply chain can be compromised?
There’s the rub. This is a multifaceted challenge, but one critical part of the solution is maintaining strong situational awareness across the length and breadth of your supply chain. You need a way to tame the complexity, not just of how you ship your products but also of who you work with and the critical data points that tell you if your supply chain is working or if something is going wrong. You need robust supply chain business intelligence coupled with seasoned transportation management veterans, old salts who can see and let you know when a new threat lurks beyond the horizon.
2. The damage caused by a supply chain cyberattack doesn’t stop at theft
Even at the height of the Golden Age of Piracy, pirate activity across the Caribbean and Atlantic islands was limited in scope and scale. There were rarely more than 30 pirate ships in operation across the Atlantic Ocean, according to Military History Matters magazine, just a drop in the ocean compared to the vast infrastructure of oceangoing trade crisscrossing the seas in the same period.
So why was piracy so heinous?
What was so problematic about theft by bearded blackguards on the high seas that Britain passed a special law allowing a colonial or naval officer to sentence a pirate to immediate execution without the due process of a jury or even a trial?
Piracy created unacceptable uncertainty in an already chaotic world.
You couldn’t just measure the cost of piratical crime by tallying the gold they pilfered, the sailors they skewered, and the cargo they purloined. Pirates made whole trade routes less viable. By adding a hefty unknown variable to oceangoing trade, piracy destabilized global commerce and placed a steep additional cost on all mercantile activity between buyers and sellers who happened to be separated by the open ocean.
Pirates, quite literally sometimes, rocked the boat. They generated uncertainty.
Cyberattacks on supply chains impose similar costs. The uncertainty problem businesses face today is identical to the dilemma merchants faced 300 years ago. In a sea of uncertainty, they’re sailing blind.
The ever-present risk of cyberattack means companies are having to adopt a more defensive posture. Companies are spending more and more on online breach prevention and increasingly only enter into relationships with commercial partners who can guarantee compliance with best cybersecurity practices. For more information on how that conundrum plays out, check out the Partners section of our supply chain cybersecurity white paper.
Gartner estimated that 45% of organizations worldwide will experience a supply chain cyberattack by 2025. How can you combat supply chain uncertainty when it’s this pervasive? Again, that’s a darn good question. The difficult truth of supply chain cyberattack is that for most companies, a successful attack is inevitable. A mature cybersecurity strategy, therefore, is one that has a response plan in place as well as a prevention plan.
If the worst happens, the first few hours following a successful supply chain cyberattack are critical. You need a plan in place to limit the damage. You need people on call to help you mount a swift and effective response. IL2000’s rapid response capability means you have supply chain experts on call, day or night.
3. Cybercriminals have deep knowledge of how supply chains work
The most successful pirates didn’t appear from nowhere. Your typical pirate was not an individual who snapped up a thrift shop cutlass, acquired an amenable parrot, and eschewed regular hygiene in favor of fast living and bottom-shelf rum.
Many had been sailors.
Your typical 18th Century piratical crew likely comprised seasoned mariners with a deep practical understanding of how shipping, trade, and the whole maritime supply chain shebang operated.
In its 2021 analysis of software attacks on supply chains, Gartner found that a significant proportion of online attacks were made possible by malicious code that had been injected into supply chain management software while it was developed.
This means the attack began months — perhaps even years — before the threat became apparent. Moreover, the attack was led by a cybercriminal group with profound insider knowledge of the tools and workflows the targeted company used to manage its supply chain. More generally, by the time a cyberattacker makes their presence known, they may have been assessing weaknesses across your supply chain, undetected, for a long time. By the time your IT manager discovers that ransom note, it’s entirely feasible that someone out there has quietly become an expert in how to take your supply chain down.
How do you counter sophisticated supply chain cyberattacks? You need supply chain experts on your team, people with decades of knowledge of supply chain management — everything from the byzantine complexity of INCOTERMS, to how to track and trace shipments, to how to keep your company’s outbound and inbound freight operational through a raging hurricane.
Keep your supply chain afloat
Like the pirates of old, cybercriminals rely on the element of surprise. Supply chain cyberattacks are swift, sophisticated, and happen where they’re least expected.
IL2000 can strengthen your freight operation’s security with better supply chain BI, deep industry expertise, and rapid response capability. Don’t wake up to find your logistics dead in the water.